Re: Directory migration

On Wed, 22 Apr 2009 00:13:51 Michael Ströder wrote:
> Ian wrote:
> > On Tue, 21 Apr 2009 23:07:11 Michael Ströder wrote:
> >> Hmm, which password scheme is used? Are the userPassword values prefixed
> >> with {MD5} or with {CRYPT}? In the latter case libcrypt on both systems
> >> could be incompatible. So this could be another issue. The general
> >> advice is not to use {CRYPT}. Recommended is to use salted SHA-1
> >> (password scheme {SSHA}).
> >
> > Well, FreeBSD is using MD5 for its encryption and so is the Linux
> > workstation.
>
> This does not say much since there are also MD5-based password hashes in
> Unix crypt.
>
> > Is the LDAP server encrypting the hashes as well?
>
> No, the clear-text password is hashed depending on the password scheme
> together with a random salt.
>
> > They don't look like the
> > hashes in master.password
>
> What is master.password?
:-) FBSD equivalent of /etc/shadow
> > at all, so I guess it is? And that's one reason why
> > you need to use the PADL scripts when you import /etc/passwd into your
> > LDAP directory?
>
> If you import /etc/shadow or wherever your salted Unix password hashes
> are stored you would use the platform-specific password scheme {CRYPT}.
>
> > The password entry looks like this:
> > userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0=
>
> ^^
> The double-colon indicates that the value is base64-encoded in the LDIF
> representation.
>
> $ python -c "print 'e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0='.decode('base64')"
> {md5}547qEjL5yQnfIp7aDAXd8w==
>
> So this is a plain MD5-hashed password. This password scheme is *not*
> platform-specific.
So I guess that's why it works logging in from a Linux workstation, even
though the passwords originally were imported from the FBSD master.passwd
file, and also works with squid running on the FBSD server.
> Is this from your original data?
Yes, taken from the original server's LDAP database.
> Do all entries have password values like this? Check that.
Yes, they do!
> If yes, then you should not have a problem to migrate this data.
Yet sadly I do have a problem :-/
I have used ldapsearch to confirm that the password hashes are the same on the
old & new servers when I use ldapsearch or slapcat to view them. Yet I can't
login on the new server. And since the hashes are salted, I can't tell if the
actual password is really different.
>
> > So I don't know what encoding it's using - is there a setting that
> > controls this? (nothing in slapd.conf that I can see).
>
> There are various relevant settings. But I wonder which component is
> used for setting the password and which mechanism it uses.
>
> You should also consult the fine articles in the FAQ-O-MATIC:
>
> http://www.openldap.org/faq/data/cache/419.html
I'll give that a read tonight and do some more testing.
Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
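The thread turns on two encodings stacked on top of each other: the LDIF `::` separator (the whole attribute value is base64) and, inside it, the RFC 2307 `{SCHEME}base64` form of userPassword, where the base64 payload is the digest followed by the salt, if any. The script below is an added example written for this page, not code from the thread or from OpenLDAP. It decodes the quoted LDIF line to show that `{md5}` carries a bare 16-byte MD5 digest with no salt, and it builds and verifies constructed `{MD5}`/`{SMD5}`/`{SHA}`/`{SSHA}` values for a made-up password. It assumes Python 3 and deliberately does not verify `{CRYPT}`, since that scheme's output depends on the libcrypt of the host that produced it, which is the incompatibility the thread warns about.

```python
import base64
import hashlib
import os

# The LDIF line quoted in the thread. The "::" separator means the value
# that follows is base64-encoded in the LDIF representation.
THREAD_LINE = "userPassword:: e21kNX01NDdxRWpMNXlRbmZJcDdhREFYZDh3PT0="

# RFC 2307 / OpenLDAP password schemes handled here:
# scheme -> (hash function, digest length in bytes, salted?)
SCHEMES = {
    "MD5":  (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
    "SHA":  (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
}


def ldif_value(line):
    """Return the value of one LDIF attribute line as text, base64-decoding
    it when the line uses the '::' separator."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_userpassword(value):
    """Split a '{SCHEME}payload' userPassword value into
    (SCHEME, digest bytes, salt bytes). Scheme names are matched
    case-insensitively, so the thread's lower-case {md5} is accepted."""
    if not value.startswith("{") or "}" not in value:
        # No scheme prefix: OpenLDAP stores the clear-text password as given.
        return ("CLEARTEXT", value.encode("utf-8"), b"")
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        # crypt(3) string; its format is decided by the libcrypt of the host
        # that created it, so it is kept opaque here.
        return (scheme, payload.encode("ascii"), b"")
    if scheme not in SCHEMES:
        raise ValueError("unsupported password scheme {%s}" % scheme)
    raw = base64.b64decode(payload)
    _, digest_len, salted = SCHEMES[scheme]
    if len(raw) < digest_len or (not salted and len(raw) != digest_len):
        raise ValueError("{%s} payload has wrong length %d" % (scheme, len(raw)))
    # Digest comes first, any salt is whatever follows it.
    return (scheme, raw[:digest_len], raw[digest_len:])


def verify(value, password):
    """True/False for {MD5}/{SMD5}/{SHA}/{SSHA} and clear-text values.
    Returns None for {CRYPT}, which can only be checked on a host whose
    libcrypt matches the one that produced the hash."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme == "CRYPT":
        return None
    if scheme == "CLEARTEXT":
        return digest == password.encode("utf-8")
    hash_fn = SCHEMES[scheme][0]
    return hash_fn(password.encode("utf-8") + salt).digest() == digest


def make_userpassword(scheme, password, salt=None):
    """Build a userPassword value in the given scheme. For salted schemes a
    random 4-byte salt is generated unless one is supplied."""
    hash_fn, _, salted = SCHEMES[scheme]
    if salted and salt is None:
        salt = os.urandom(4)
    salt = salt or b""
    raw = hash_fn(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


if __name__ == "__main__":
    value = ldif_value(THREAD_LINE)
    scheme, digest, salt = parse_userpassword(value)
    print(value, "->", scheme, "%d-byte digest, %d-byte salt" % (len(digest), len(salt)))
    # Constructed values for a made-up password; not data from the thread.
    for name in SCHEMES:
        stored = make_userpassword(name, "secret")
        print(name, stored, verify(stored, "secret"), verify(stored, "wrong"))
```

Running it against the quoted line prints the `{md5}` value with a 16-byte digest and an empty salt, which is why Michael calls it a plain, unsalted MD5 hash that any platform can check. For a salted scheme such as `{SSHA}`, `verify` recovers the salt from the tail of the decoded payload and re-hashes the candidate with it, so comparing two entries by eye is not meaningful even when the passwords are identical.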
